Attackers Go After GPON Routers, Again

Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.

The mass number of attacks is indicative of a potential botnet and researchers suggested that the botnets built using the compromised routers could be offered as a service, adding “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

In addition, the company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.